Network Security Library
Detecting Computer Security Attacks by Technical Methods


Ajoy Kumar 07/08/2005



IDS and IPS



In this section I cover why IDS and IPS systems should be used, and then describe in detail the data mining techniques being used for network intrusion detection. IDS/IPS is a topic in itself, and I will focus only on some of the key aspects of IDS and IPS systems.

“Although intrusion detection technology is immature and should not be considered as a complete defense, we believe it can play a significant role in overall security architecture. If an organization chooses to deploy an IDS, a range of commercial and public domain products are available that offer varying deployment costs and potential to be effective. Because any deployment will incur ongoing operation and maintenance costs, the organization should consider the full IDS lifecycle before making its choice.” [6]

IDS and IPS help an organization mitigate the technical risks to an e-business. These systems help capture intrusions that would otherwise go undetected, and they help establish the nature and frequency of attacks on an organization. They offer data for post-incident analysis and for verification of architectural controls, and they provide a wealth of information to the people responsible for monitoring networks. “Intrusion Detection Systems represent a potentially vital layer of your information security architecture. A variety of IDS/IPS technology variants exist which, when used in concert, can provide necessary protective and detective benefits” [7].

Mining Techniques in Network Intrusion Detection Systems

Traditional methods of intrusion detection are based on signatures of known intrusions. These methods extract features from various data streams and detect an intrusion by comparing the features against the value sets in an attack signature database. This database has to be updated manually for each new intrusion that is discovered, so these models cannot detect emerging threats, and the latency of the update and deployment cycle further limits their usefulness. This limitation of the signature model has led to self-learning intrusion detection techniques. Data mining techniques fall into two categories:
  1. Misuse detection: Each instance in the data set is labeled as ‘normal’ or ‘intrusion’, and a learning algorithm is trained over the labeled data. These methods can automatically retrain intrusion detection models on different input data as long as the labels are appropriate. They offer a higher success rate than the signature-based model because the models of misuse are created automatically, and the models are sophisticated enough to detect variations of known attacks.
  2. Anomaly detection: This builds models of normal behavior, automatically detects deviations from them, and flags the violations. One of the newer attack detection techniques of this kind is based on ‘profiling’. Let us examine it in detail.

Profiling Work Stations and Servers


This is one of the more recent techniques used by security practitioners. Software is fed information on the interactions between each client workstation and server: how often interactions happen, the typical times at which they happen, the duration of each engagement, and so on. It also tracks which clients and servers depend on each other for information. Once the exact relationships are known, a baseline is prepared. Since network activity is now extensively monitored in all organizations, logs of network activity are fed to this baseline system and searched for anomalies. These anomalies could be potential attacks, or they could be changes in the behavior of server and client interactions, even the addition of a new feature to an application. This is a fairly new technique and has a high false positive rate. Key elements of the technique are:

Let us do a reality check on this. This system will probably generate many false positives, because a mid-size to large organization has a great deal of churn: people joining and leaving, transfers, addition and deletion of application features, servers and applications, changing responsibilities, and so on. This means an ever-changing baseline. Can such a baseline ever be tracked correctly and kept up to date? The answer again is probably yes and no. No, for the obvious reason that it is a challenging task; yes, if a company makes updating the security baseline part of its process. If a company is CMMI certified and extends its CMMI process to include security as part of the main process, there is a good likelihood that the baseline can be tracked and a good protective layer can be spun around its applications. This generally makes the process slower, and companies choose not to adhere to it. The basic daunting question that remains open is: business first or security first?
Many CIOs lean to business first, but as we move into the age of compliance and control, better solutions are likely to emerge. Another drawback is the inability to detect what has not yet been observed.

“The Army High Performance Computing Research Center’s (AHPCRC) research in intrusion detection addresses both misuse and anomaly detection. For misuse detection, standard data mining techniques are not applicable due to following reasons: (i) Intrusion as a class of interest is much smaller, i.e. rarer than the class representing normal network behavior, which renders most classification techniques quite ineffective, (ii) There is a need for real-time, incremental, learning from high speed data streams, and (iii) there is a need to have evolvable models which change their characteristics over time” [8]. AHPCRC researchers have created many novel algorithms for learning from rare classes which are suited to misuse detection, and they have made good inroads into cases where the nature of the intrusion is unknown. Some algorithms rely on the concept of ‘outliers’. An outlier is defined as a point which is very different from the rest of the data according to some similarity measure; these outliers are the key items in the anomaly-based approach. AHPCRC has been able to predict some attacks with these techniques that could not be detected using SNORT. The techniques are promising because the data generated from network traffic tends to have heavy volume, heterogeneity and high dimensionality, which is almost unmanageable for real-time analysis; the new classification and anomaly detection methods can take advantage of available computing power and point to specific attacks. Here are a few examples where the techniques were successfully used:

Lately the Gartner group has declared ‘IDS is dead’ [9]. IDS has not been very helpful in getting the right help to organizations. “Current IDP (detect and protect) is like a police marksman when confronted with hostage and hostage taker – use the wrong weapon (such as a shotgun) and you take out the hostage as well as the criminal.” IDS alerts on anything that looks like an attack and produces too many false positives.
IPS, on the other hand, is tailored with a reduced rule set to combat the situation; any attack that is not defined is simply deferred, and more rules are needed to deal with the large number of attacks. IDS/IPS systems require special protection themselves, as they are prime targets for obvious reasons. It must be pointed out that correlation from IDS/IPS alone is not sufficient; that is the reason Gartner issued such a strong statement, “IDS is dead”. It takes a human to relate one event to another and determine whether or not it is an attack situation. So should we involve the CIRT or CERT in every aspect of running the business? Should we be business focused or security centric?
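The profiling approach described above (a baseline of client/server interactions, then a search of new logs for deviations) and the AHPCRC notion of an outlier as a point far from the rest of the data can both be shown in a few dozen lines. The following is an added example, not code from the paper or from AHPCRC: it builds a per-pair baseline (hours of day seen, mean and standard deviation of transfer size) from constructed connection records and then flags three kinds of deviation in a later day's records: a client/server pair never seen before, activity outside the usual hours, and a transfer whose size is a z-score outlier. All host names, timestamps and byte counts are constructed sample data.

```python
"""Added example: baseline profiling of client/server interactions with
anomaly flagging. Constructed data; not from the paper."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection records: "timestamp client server bytes".
BASELINE_LOG = """\
2005-06-01T09:12:00 ws-17 fileserver 4200
2005-06-01T09:40:00 ws-17 fileserver 3900
2005-06-01T10:05:00 ws-17 mailserver 1200
2005-06-01T13:30:00 ws-17 fileserver 4500
2005-06-02T09:05:00 ws-17 fileserver 4100
2005-06-02T11:20:00 ws-17 mailserver 1300
2005-06-02T14:00:00 ws-17 fileserver 4300
2005-06-03T09:30:00 ws-17 fileserver 4000
2005-06-03T10:10:00 ws-17 mailserver 1250
"""

# Constructed records for the day being checked against the baseline.
OBSERVED_LOG = """\
2005-06-04T09:15:00 ws-17 fileserver 4150
2005-06-04T10:00:00 ws-17 mailserver 1280
2005-06-04T02:45:00 ws-17 fileserver 4100
2005-06-04T13:10:00 ws-17 fileserver 98000
2005-06-04T11:05:00 ws-17 hr-db 700
"""


def parse(log):
    """Turn log text into (datetime, client, server, bytes) tuples."""
    records = []
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def build_baseline(records):
    """Per (client, server) pair: hours of day seen and transfer-size statistics."""
    hours = defaultdict(set)
    sizes = defaultdict(list)
    for ts, src, dst, nbytes in records:
        hours[(src, dst)].add(ts.hour)
        sizes[(src, dst)].append(nbytes)
    return {
        pair: {"hours": hours[pair], "mean": mean(sizes[pair]), "stdev": pstdev(sizes[pair])}
        for pair in hours
    }


def find_anomalies(baseline, records, z_threshold=3.0):
    """Flag three deviation kinds: a pair never seen before, activity outside the
    usual hours, and a transfer size far from the pair's mean (z-score outlier)."""
    findings = []
    for ts, src, dst, nbytes in records:
        profile = baseline.get((src, dst))
        if profile is None:
            findings.append(("new-pair", src, dst, ts.isoformat()))
            continue
        # One hour of slack either side of the hours seen in the baseline.
        if not any(abs(ts.hour - h) <= 1 for h in profile["hours"]):
            findings.append(("off-hours", src, dst, ts.isoformat()))
        stdev = profile["stdev"] or 1.0  # guard against a zero-variance pair
        if abs(nbytes - profile["mean"]) / stdev > z_threshold:
            findings.append(("volume-outlier", src, dst, ts.isoformat()))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    for finding in find_anomalies(baseline, parse(OBSERVED_LOG)):
        print(*finding)
```

The three findings it produces on the constructed data (an off-hours connection, a 98 KB transfer against a baseline near 4 KB, and a first-ever connection to hr-db) are exactly the kind of output the text warns about: each may be an attack or merely a new application feature, which is why the baseline has to be maintained as part of the process.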


Attack Modeling



This is one of the newer techniques, based on using ‘attack data’ to detect attacks. Traditionally attack data has not been available to engineers for analysis, but with the passage of time and the long-term existence of CERT, NIST, SANS and other organizations a way has opened up to collect it. The technique is based on analyzing, modeling, patterning and profiling attack data, using the ‘attack tree’ model [10]. “Attack trees describe a systematic method to categorize system security based on varying attacks”, Schneier [10]. They refine information on attacks by identifying the compromise of enterprise security at the root level. The iterative and incremental ways in which an attacker can compromise an enterprise are represented as the lower-level nodes (leaves) of the tree. The root of each tree in the forest represents an event that could significantly affect the organization’s mission; an enterprise typically has a set of trees, or forest, relevant to its operation. Each attack path through the attack tree signifies the uniqueness and effect of a given attack. There are a number of ways an enterprise could be attacked.

“A node can be decomposed as”, Moore [10]: there are graphical and textual representations of AND and OR decompositions. A typical example of a company’s threat (for the company ACME in this example) would be:

Survivability Compromise: Disclosure of ACME proprietary secrets


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

The above model represents possible attacks on ACME Corporation. For example, branches 5 and 6 are for technical attacks over the internet, while branches 3 and 4 are based on exploits by a trusted insider and physical access.

Now let us see how this modeling is used to detect attacks. It is based on attack pattern reuse, which in turn rests on two sub-techniques:
  1. Attack Patterns
  2. Attack Profiles
Attack Patterns: An attack pattern is a generic representation of a deliberate, malicious attack that commonly occurs in specific contexts [10]. Each attack pattern contains: a precondition, the assumptions made about the attacker, based on the state of the enterprise, that are necessary for a successful attack, including the skills, resources, level of risk and knowledge that the attacker must possess; and a postcondition, the knowledge that has been acquired by the attacker after launching a successful attack. Let us consider the modeling of a buffer overflow attack.


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

A buffer overflow attack describes one way for an attacker to exploit, with malicious intent, a program’s trust in user input. It is an example of an input validation attack; SQL injection in databases partially falls under the same category, though the mode of operation is different. Another example is the ‘unexpected operator attack’. Rather than relying on the input values themselves, this exploits the fact that a susceptible program does not expect certain operators in the input. Say a program expects a file name as one of its parameters, but the vulnerability is that additional material can be appended to that parameter. The vulnerability is exploited when an attacker appends to the input file name a command composition operator (“;” in this example) and a malicious command (removing all files in the current directory and below). The pattern associated with this attack is similar in form to the buffer overflow attack pattern:
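The unexpected operator attack just described is an input validation failure, so the defensive counterpart is worth seeing in code. The following added example (not from the paper or the SEI report) shows, in Python, the shell string a naive program would build from a file-name parameter and how a POSIX shell would split it at the “;” operator into two commands, next to a hardened version that applies an allowlist to the file name and passes it as an argv element rather than through a shell. `validate_filename`, `SAFE_NAME` and the sample names are assumptions chosen for the illustration; nothing here executes a command.

```python
"""Added example: the 'unexpected operator' (command composition) weakness next
to its hardened form. Illustration only; no command is executed."""
import re

# Allowlist: the only characters a plain file name is expected to contain.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def vulnerable_command(filename):
    """The shell string a naive program would hand to system(): the file name is
    pasted into the command, so any operator in it reaches the shell."""
    return "cat " + filename


def shell_words(command):
    """Approximation of how a POSIX shell reads the string: ';' ends one command
    and starts another (real shells also honour |, &&, newlines, and more)."""
    return [part.strip() for part in command.split(";")]


def validate_filename(filename):
    """Reject anything outside the allowlist, including separators, spaces and
    operators, and the two special directory names."""
    if not SAFE_NAME.fullmatch(filename):
        return False
    return filename not in (".", "..")


def hardened_command(filename):
    """argv list for subprocess.run(argv) with the default shell=False: the file
    name is a single argument, never parsed for operators, and it is validated
    first so a rejected name fails loudly instead of reaching the program."""
    if not validate_filename(filename):
        raise ValueError(f"rejected file name: {filename!r}")
    return ["cat", filename]


if __name__ == "__main__":
    # Constructed inputs: an honest name and one carrying an appended operator.
    for name in ("report.txt", "report.txt; id"):
        print(name, "->", shell_words(vulnerable_command(name)), "| valid:", validate_filename(name))
```

The two defences are independent: the allowlist stops the operator at the boundary, and the argv form means that even a name that slipped past validation could not start a second command, because no shell ever parses it.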


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

Attack patterns can exist at a variety of levels and do not necessarily lead to a direct compromise of information or a denial of service. They may simply provide the attacker with information that he or she needs to achieve a goal. Let us take another example, a web server attack:


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

Attack Profiles: Related attack patterns are put together into an encompassing attack profile. Attack profiles contain: a reference model, which presents a template with specific variants and is itself defined in terms of attack patterns. Attack profiles are standard templates and are not particular to any single enterprise. If an enterprise’s architecture is consistent with the reference model, it may use the profile’s attack patterns to construct attack trees and detect attacks on the enterprise. Different attack profiles address different levels of attacker access, skills and resources, and they help refine and define attack trees along different lines of attack. Let us reconsider the buffer overflow attack pattern in terms of an attack profile. The variants in this model are: user, system, internet, firewall and an attacker.


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

How to apply Attack Patterns and Attack Profiles


Once an attack profile is consistent with the enterprise’s architecture, the analyst determines which attack patterns are consistent with the profile and uses both in conjunction to refine the attack tree. Let us look at the buffer overflow example again. The attacker could achieve goal 5.3.5.2 (i.e., access sensitive data from a privileged account on the ACME web server) by getting access to such a privileged account and then scanning for files that contain sensitive data. Furthermore, the attacker could achieve a sub-goal (e.g. gain privileged access to the ACME web server) by exploiting a buffer overflow vulnerability on the ACME web server. This is very similar to the buffer overflow attack pattern, and we can use that pattern if we instantiate it so that the system under attack is the ACME web server and the malicious function that is executed provides the attacker with access to a privileged account.


Example from [10], http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf

Let us analyze the objective of the above techniques. They help document possible attacks and how they can be reused, and they help an enterprise find possible attacks and then take steps to mitigate them by profiling and refining. They help keep the enterprise’s mission statement achievable. A number of questions can be raised about this approach to attack detection: What types of analysis can be performed on attack trees? Is it possible that, due to poor correlation between reality and documentation, the attack trees that are determined do not really exist? How are attack trees cross-checked? How does an organization deal with the dynamic situation of vulnerability discovery and system patching? How does an organization prioritize the attacks, i.e. which branch needs to be addressed first? Is there a more structured language for this modeling? Can it be automated with artificial intelligence? What level of detail needs to go into the attack trees? Attack modeling and refinement helps us refine on the basis of known attacks; what if there is a new type of attack that has not been profiled, and how are those attacks modeled? Is this really possible in a very large organization in which one part is not aware of what another part is doing? Is it possible to adapt this in government? Attempting to answer most of the above questions raises more questions.
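Two of the questions just raised, what analysis can be performed on an attack tree and which branch to address first, have concrete answers once the AND/OR decomposition from the Attack Modeling section and the precondition idea from the attack-pattern discussion are put into a data structure. The following is an added example, not code from the paper or from the SEI report: it encodes a small attack tree loosely following the ACME scenario (the node names, skill levels and costs are constructed assumptions, not the report's figures), enumerates every leaf set that achieves the root goal, filters those by an attacker profile (skill and budget, standing in for the pattern's precondition), and reports which paths stay open after a given set of leaf attacks has been mitigated, which is how a defender prioritizes branches.

```python
"""Added example: an AND/OR attack tree for the ACME scenario, evaluated against an
attacker's skill and budget and against a set of mitigations. Constructed values."""
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    name: str
    kind: str = "LEAF"                  # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)
    skill: int = 0                      # leaf precondition: skill the attacker needs
    cost: int = 0                       # leaf precondition: resources the attacker spends


def leaf(name, skill, cost):
    return Node(name, "LEAF", [], skill, cost)


# Constructed tree loosely following the paper's ACME example; names and numbers
# are assumptions for the illustration.
ACME_TREE = Node("Disclosure of ACME proprietary secrets", "OR", [
    Node("Access sensitive data from privileged account on web server", "AND", [
        Node("Gain privileged access to web server", "OR", [
            leaf("Exploit buffer overflow on web server", skill=3, cost=2),
            leaf("Guess weak admin password", skill=1, cost=1),
        ]),
        leaf("Scan files for sensitive data", skill=1, cost=1),
    ]),
    leaf("Bribe trusted insider", skill=1, cost=10),
    Node("Obtain data through physical access", "AND", [
        leaf("Tailgate into building", skill=1, cost=1),
        leaf("Copy data from unattended workstation", skill=1, cost=1),
    ]),
])


def attack_paths(node):
    """Enumerate the leaf sets that achieve a node's goal.
    OR: any one child's paths; AND: every combination of one path per child."""
    if node.kind == "LEAF":
        return [frozenset([node.name])]
    if node.kind == "OR":
        return [p for child in node.children for p in attack_paths(child)]
    if node.kind == "AND":
        combos = product(*(attack_paths(child) for child in node.children))
        return [frozenset().union(*combo) for combo in combos]
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node):
    if node.kind == "LEAF":
        yield node
    for child in node.children:
        yield from leaves(child)


def feasible_paths(root, attacker_skill, attacker_budget):
    """Paths whose leaves are all within the attacker's skill and whose total
    cost fits the budget: the tree instantiated for one attacker profile."""
    by_name = {n.name: n for n in leaves(root)}
    return [
        path for path in attack_paths(root)
        if all(by_name[name].skill <= attacker_skill for name in path)
        and sum(by_name[name].cost for name in path) <= attacker_budget
    ]


def remaining_paths(root, mitigated):
    """Paths still open after the given leaf attacks have been mitigated:
    the branches that still need to be addressed."""
    return [path for path in attack_paths(root) if not path & set(mitigated)]


if __name__ == "__main__":
    for path in attack_paths(ACME_TREE):
        print(sorted(path))
    print("low-skill attacker, budget 3:", feasible_paths(ACME_TREE, 1, 3))
    print("open after fixing the weak password:",
          remaining_paths(ACME_TREE, {"Guess weak admin password"}))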

Other Models

  1. Diversity in Computers: The severity and sophistication of attacks has been rising over the years, and groups and organizations have been following different ways to combat the situation. Here is yet another approach [11]: “Taking their cues from Mother Nature and biodiversity, computer scientists at Carnegie Mellon University and the University of New Mexico are collaborating on a National Science Foundation (NSF)-supported project to study "cyber-diversity" for computer systems as a way to fend off malicious viruses, worms and other cyber attacks.” The basis of this research lies in the ‘diversity’ of individuals: a ‘monoculture’ of many genetically similar individuals makes them all susceptible to the same attack pattern (sequence) of an infecting organism. “The existence of the very same flaw on many computers is routinely exploited by attackers via Internet worms such as Code Red, which infected over 350,000 systems in just 13 hours using a single vulnerability.” According to Mike Reiter, a professor of electrical and computer engineering and computer science at Carnegie Mellon and associate director of CyLab [11], "We are looking at computers the way a physician would look at genetically related patients, each susceptible to the same disorder." "In a more diverse population, one member may fall victim to a pathogen or disorder, while another might not have the same vulnerability." The focus of this approach is to introduce diversity into computer systems, so that they are not clones of each other and all the critical components of an organization do not fall prey to the same vulnerability. According to Stephanie Forrest, professor of computer science at New Mexico [11], “We are investigating various new methods for automating the diversity process at different system levels.
Our automated approach has the potential to be more economical and could introduce more diversity into computer systems.” The purpose of this approach is that an attacker would have less information about individual computers and would have to attack each computer differently; with the attacker’s efforts frustrated, attack severity would be localized. Let us examine this approach closely. Unless completely automated, it is very difficult to adopt. How would a large organization support ‘individualized’ machines, given how inconvenient and expensive the effort is? If automated, how different must each machine be from the others so that it is not vulnerable to the same threat? What if an attacker in a targeted attack is able to analyze the pattern and automate a much more severe attack? How do organizations deal with employees who are constantly mobile, and would there be productivity issues for them? This approach may benefit small organizations more than large ones. Earlier approaches to diversity, attack detection by diversity and maintaining different versions of software, proved expensive, and another drawback was that the versions developed different vulnerabilities and proved ineffective. Lack of standardization in an organization will lead to many more issues aside from cost.
  2. PDA Attacks: Attacks are not limited to networked computer systems; they extend to PDAs, cell phones and a variety of embedded systems in cars and elsewhere. A research team led by Adrian Perrig, Assistant Professor at Carnegie Mellon, developed new software, SWATT (SoftWare-based ATTestation), designed to detect remote malicious attacks (worms and viruses) [12]. "We have designed a special mechanism that can verify the code running on any given remotely embedded system. We can detect the presence of any virus: simple viruses can be detected through their altered memory contents, while more advanced viruses will attempt to hide, but we can detect them since hiding will slow down our code verification." This is a very new and unique concept which is generating interest in the ‘detection’ community. According to the SWATT team, the software is programmed to seek out any possible virus no matter how elaborate the virus’s defense mechanism is. The design of the verification is the central idea in SWATT. The design ensures that the checksum of the memory contents returned by the embedded device will be correct only if the memory contents of the device are the same as expected by the verifier. “It will be different with high probability if the memory contents of the device differ from the expected contents. This statement about the checksum holds as long as the verifier has the correct view of the embedded device’s hardware configuration” [12]. This essentially means that the only way an attacker can attack a device without being detected is to change the hardware, which is impractical. An interesting application of SWATT is virus checking. If an embedded device is suspected of being infected, an external verifier can ship the verification procedure to the device, download the entire memory image from the device and use SWATT to ensure that the downloaded memory content is the same as the device’s. The verifier can then scan the downloaded content for viruses.
Let us examine this approach. It is very cumbersome to get this model ready for general-purpose computers, as computers get constant application and patch updates and their identifiers are constantly changing. The cost associated with this model may be large for computers compared with embedded devices (which are more static in terms of updates). Another possible shortcoming is that a smart attacker could change the memory contents between the time of verification and the time of use, fooling the system very easily. This is a new, emerging field, and research needs to be done on CPUs with sophisticated architectural features like branch predictors and virtual memory.
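The two properties the SWATT quotation relies on, a checksum that is wrong with high probability if memory was altered, and a hiding attacker that can only produce the right checksum by doing extra work on every memory read, are easy to see in a simulation. The following is an added example and is not the SWATT code or its actual checksum function: memory is a constructed byte array, the verifier's nonce seeds the pseudorandom order in which the device reads it, and "time" is modelled as a count of read operations rather than a clock, so the run is deterministic. A compromised device that simply altered memory fails the checksum; one that keeps a copy of the original bytes and substitutes them during verification passes the checksum but blows the operation budget. The sizes, constants and the 10% slack are assumptions.

```python
"""Added example: a simplified SWATT-style attestation exchange. Simulation only,
not the SWATT code; 'time' is modelled as a count of memory-read operations."""
import random

MEM_SIZE = 1024          # assumed size of the device's code memory, in bytes
ITERATIONS = 4096        # pseudorandom reads per checksum run
MASK = 0xFFFFFFFF


def make_image(seed=7):
    """Constructed known-good firmware image (random bytes stand in for code)."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(MEM_SIZE))


class Device:
    """Honest device: the checksum procedure reads its memory directly."""

    def __init__(self, memory):
        self.memory = memory
        self.ops = 0

    def read(self, addr):
        self.ops += 1
        return self.memory[addr]

    def checksum(self, nonce):
        """Walk memory in a nonce-determined pseudorandom order, so the answer
        cannot be precomputed, and mix every byte into a 32-bit state."""
        self.ops = 0
        rng = random.Random(nonce)
        state = nonce & MASK
        for _ in range(ITERATIONS):
            addr = rng.randrange(MEM_SIZE)
            state = ((state + self.read(addr)) * 0x9E3779B1 + (state >> 5)) & MASK
        return state


class CompromisedDevice(Device):
    """Device whose memory was altered in [lo, hi). With hide=True it keeps the
    original bytes and substitutes them while being checksummed, which costs an
    extra range check on every read."""

    def __init__(self, memory, lo, hi, hide):
        super().__init__(memory)
        self.lo, self.hi, self.hide = lo, hi, hide
        self.original = bytes(memory[lo:hi])   # saved before the modification
        for addr in range(lo, hi):
            memory[addr] ^= 0xFF               # the 'malicious' modification

    def read(self, addr):
        self.ops += 1
        if self.hide:
            self.ops += 1  # the range check: the attacker's unavoidable overhead
            if self.lo <= addr < self.hi:
                return self.original[addr - self.lo]
        return self.memory[addr]


def verify(device, good_image, nonce, slack=0.10):
    """Verifier side: compute the expected checksum from its own copy of the
    good image, compare, and reject runs costing more than (1 + slack) x honest."""
    expected = Device(bytearray(good_image)).checksum(nonce)
    got = device.checksum(nonce)
    if got != expected:
        return "checksum mismatch"
    if device.ops > ITERATIONS * (1 + slack):
        return "too slow"
    return "ok"


def tampered(good_image, hide):
    """Constructed compromised device with bytes 100..116 modified."""
    return CompromisedDevice(bytearray(good_image), 100, 116, hide)


if __name__ == "__main__":
    image = make_image()
    nonce = 12345  # constructed verifier nonce; a real verifier draws a fresh one per run
    print("honest:", verify(Device(bytearray(image)), image, nonce))
    print("altered:", verify(tampered(image, hide=False), image, nonce))
    print("hiding:", verify(tampered(image, hide=True), image, nonce))
```

The simulation also makes the paper's own caveat visible: the verdict covers memory only during the checksum run, so an attacker who restores memory for verification and alters it afterwards is outside what this exchange can see.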

Analysis



Detection of attacks is a very difficult task, despite the numerous layers of security deployed to secure an enterprise. The recent example of ChoicePoint tells us that thieves apparently used previously stolen identities to create what appeared to be legitimate businesses seeking ChoicePoint accounts. They then opened 50 accounts and received volumes of data on consumers, including names, addresses, Social Security numbers and credit reports. The ring operated for more than a year before it was detected and, according to investigators in California, used the information to defraud at least 750 people; the list of victims is growing rapidly. Was ChoicePoint not committed to security? Probably it was. Did they have layers of security? Yes, they did. Why was this attack not detected quickly? The simple reason is that it is difficult to detect attacks. One thing that must be pointed out is that ChoicePoint did not have a CIRT, and that hurt them further as an organization [13]. The company caught the thieves by analyzing patterns of searches.

Attacks are constantly on the rise with no easy respite. According to research done by MessageLabs (which scans emails for attacks), in September 2003 only 279 of tens of millions of mails were phishing [note 5] related. By September 2004 the number had risen to over two million, and over the whole of 2004 it reached 18 million mails. The simple explanation is that attacks are getting so sophisticated that a common user cannot distinguish a true enterprise from one that is phishing. In fact the new breed of pharming attacks makes phishing attacks look like child’s play. “Pharming [note 6] is simply a new name for a relatively old concept: domain spoofing. Rather than spamming you with e-mail requests, pharmers work quietly in the background, "poisoning" your local DNS server by redirecting your Web request somewhere else.” - Robert Vamosi, CNET. The browser is unaware, as it believes it is connected to the right site. The most dangerous part is that the user no longer has to click on an email to relay personal information, passwords and other sensitive information to identity attackers. The process of attack is simple and has existed for some time, yet there is no easy way to detect this attack, and losses for consumers are mounting to high levels. Companies relying on generic, blanket security products such as out-of-the-box software may find it very difficult to protect against targeted attacks. Software products are unable to identify where a threat has come from, and without a large and focused team of experts it is not possible to have an early warning system for attacks. Targeted attacks can be non-technological in nature too: for example, a company was threatened with having child pornography sent out in its name unless a large sum of money was paid to the attackers to call off the attack. In this case it is probably impossible for the company to determine where the attack would come from. The golden rule here is not to give in to blackmailers’ demands, but the possibility of child pornography being released has to be handled appropriately.

A very recent attack, launched in March 2005, is a two-pronged attack which starts with DNS poisoning that fools internet traffic into being directed to www.xyz.com, a site controlled by the attackers, instead of the intended web site (e.g. www.ebay.com). This website then installs a number of adware and spyware programs on victims’ computers. Dunham notes that DNS poisoning attacks, spyware and adware attacks have been around for some time. But, he says, "this [attack] certainly is unprecedented in terms of the methodology and the sheer scope of adware and spyware installed." Let us extend this example of an adware attack (a passive attack). “On average, at least 13 Adware components can be found on every user’s machine. Its prevalence is becoming more of a threat than email-borne worries because most consumers use Internet Service Providers that proactively scan and clean email viruses before being delivered to the consumer.” - Dr. Horst Joepen, SVP Strategic Alliances CyberGuard and CEO Webwasher AG, Monday, 2 February 2005. This is not true for web traffic. Adware is such a big problem because firewalls do not prevent such attacks: a firewall checks authentication but not content. Antivirus scanners do not have signatures in their databases for most adware, they do not analyze the content of the transmission, and there are no customizable filters to stop such attacks. The only possible ways are to have a proper perimeter and to protect the desktop. “The risk posed by Web traffic means that all traffic can be considered to be potentially harmful. No company can afford to allow these threats to get access to its network, and even SSL encrypted Web traffic must be considered.” says Dr. Horst Joepen. Such being the state of affairs, it is very difficult to detect attacks.

With attack sophistication so high that one attack leads to another, there is very little IDS/IPS can do. Attacks like this are becoming a nuisance for end users. Unwanted pop-ups, hijacked web connections, computers brought to a crawl and other nuisances are making the internet experience painful.

It is no longer a question of detecting attacks after they hit an organization; in the changing world dynamics an attack must be detected before it hits an organization. Perimeter security alone is deemed of very little use. IT security technology vendors need to change their businesses to respond to these new requirements. Recently, Symantec Chief Executive Officer John Thompson told a packed audience at the RSA Conference in San Francisco, "In the old world, security was different from storage and systems management. Under the new paradigm, those silos go away." Security was one of the drivers behind the merger of Symantec and Veritas.

Another example: DDoS attacks are launched using spoofed IP addresses and by directing broadcast traffic. Is it possible to detect this attack within the scope of an organization? The answer may again be yes or no, but things that will help for sure are implementing egress filtering to stop spoofed IP packets from leaving your network and configuring all network components so that they neither receive nor forward directed broadcast traffic [note 7].
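The two countermeasures named above, egress filtering of spoofed sources and dropping directed broadcasts, are simple enough to state as decision logic. The following added example (not from the paper or any vendor's filter language) models an edge device's checks over constructed packets: an outbound packet may leave only if its source lies in one of the organization's own prefixes, an inbound packet claiming one of those prefixes as its source is treated as spoofed (the ingress mirror of the egress rule, which the text does not mention but which the same idea gives for free), and an inbound packet addressed to the broadcast address of an internal subnet is dropped. The prefixes and addresses are documentation-range values chosen for the illustration.

```python
"""Added example: edge filtering against the two DDoS enablers named in the text,
spoofed source addresses and directed broadcasts. Constructed addresses."""
import ipaddress

# Constructed: prefixes the organization legitimately sources traffic from.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/25")]
# Constructed: internal subnets whose broadcast addresses must not be reachable from outside.
INTERNAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/26"),
                    ipaddress.ip_network("192.0.2.64/26")]


def is_ours(ip):
    """True if the address falls inside one of the organization's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def is_directed_broadcast(ip):
    """True if the address is the broadcast address of one of our internal subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr == net.broadcast_address for net in INTERNAL_SUBNETS)


def verdict(direction, src, dst):
    """Egress: only our own prefixes may leave (anti-spoofing).
    Ingress: a packet claiming our own prefix is spoofed; a directed broadcast is dropped."""
    if direction == "out" and not is_ours(src):
        return "drop-spoofed-source"
    if direction == "in" and is_ours(src):
        return "drop-spoofed-internal"
    if direction == "in" and is_directed_broadcast(dst):
        return "drop-directed-broadcast"
    return "forward"


def filter_packets(packets):
    """Apply the checks to (direction, src, dst) tuples; returns (verdict, src, dst)."""
    return [(verdict(direction, src, dst), src, dst) for direction, src, dst in packets]


# Constructed packets as (direction, src, dst).
SAMPLE_PACKETS = [
    ("out", "192.0.2.10", "203.0.113.5"),     # legitimate outbound
    ("out", "10.9.9.9", "203.0.113.5"),       # spoofed source leaving our network
    ("in", "203.0.113.5", "192.0.2.127"),     # directed broadcast to 192.0.2.64/26
    ("in", "192.0.2.99", "192.0.2.80"),       # outside packet claiming our own address
    ("in", "203.0.113.5", "192.0.2.80"),      # legitimate inbound
]

if __name__ == "__main__":
    for result in filter_packets(SAMPLE_PACKETS):
        print(*result)
```

In practice the same three rules map onto a router's ACLs or unicast reverse-path forwarding check and the "no ip directed-broadcast" style interface setting; the code only shows which packets each rule is meant to catch.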

Let us consider an example concerning the strength of SSL: “SSL protects information transmitted by users only as it is passed to target Server”. “If a user inputs their password on-line it is available in the clear as soon as it reaches the web server on the other end” [20]. In the case of a redirector attack, the secure session would end at the attacking site before being forwarded to the legitimate site, which leaves the user’s data exposed. Detection of such an attack is very difficult. It should be noted that such attacks can be prevented by ‘persistent encryption’ [note 8].

Detection of internal attacks is probably the most difficult task, as they are mounted by someone who has rightful access to the network and uses his or her knowledge, social engineering and other skills to mount them. IDS systems placed at the correct locations in the network help detect such attacks. It is important to point out that security awareness in an organization helps, to an extent, to mitigate the risk of such attacks. “The logging and reporting of attacks by the internal IDS systems can be used to do much more than detect specific, isolated, and unrelated attacks. By combining the data from all internal IDS systems, system administrators can identify attack trends and patterns. Once attack trends and patterns are identified, the administrators will be more able to identify any network users who pose a threat to network security, have been exhibiting any malicious network behavior, or who are doing anything that is against company policy in general”, Nathan Einwechter [19].
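Einwechter's point, that alerts from all internal IDS sensors combined reveal trends a single sensor's isolated alerts do not, is the kind of correlation the earlier section said takes a human; the mechanical part of it can still be automated. The following is an added example, not from the paper or from Einwechter: it groups constructed alert lines from several internal sensors by the internal source host, slides a time window over each host's alerts, and flags a host that, within one window, touched several distinct targets as seen by more than one sensor. The sensor names, host names, signature names and the 15-minute window are assumptions.

```python
"""Added example: correlating alerts from several internal IDS sensors by internal
source host to surface trends no single sensor reports. Constructed alert lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts: "timestamp sensor src_host dst_host signature"
ALERTS = """\
2005-06-10T08:02:11 ids-floor2 ws-42 fileserver PORTSCAN
2005-06-10T08:03:40 ids-floor2 ws-42 printserver PORTSCAN
2005-06-10T08:05:02 ids-dc ws-42 hr-db PORTSCAN
2005-06-10T08:09:15 ids-dc ws-42 hr-db SQL_PROBE
2005-06-10T09:30:00 ids-floor3 ws-77 mailserver SMTP_RELAY_ATTEMPT
2005-06-10T13:15:00 ids-dc ws-19 fileserver SMB_AUTH_FAIL
2005-06-10T16:40:00 ids-floor2 ws-42 fileserver SMB_AUTH_FAIL
"""


def parse_alerts(text):
    """Parse the lines into dicts, sorted by time so windows can be slid over them."""
    alerts = []
    for line in text.splitlines():
        ts, sensor, src, dst, sig = line.split()
        alerts.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                       "src": src, "dst": dst, "sig": sig})
    return sorted(alerts, key=lambda a: a["time"])


def correlate(alerts, window=timedelta(minutes=15), min_targets=2, min_sensors=2):
    """For each internal source, slide a window over its alerts and flag the
    source if within one window it touched >= min_targets hosts as seen by
    >= min_sensors different sensors. Returns {src: summary} for flagged sources."""
    by_src = defaultdict(list)
    for alert in alerts:
        by_src[alert["src"]].append(alert)
    flagged = {}
    for src, items in by_src.items():
        for i, first in enumerate(items):
            group = [a for a in items[i:] if a["time"] - first["time"] <= window]
            targets = {a["dst"] for a in group}
            sensors = {a["sensor"] for a in group}
            if len(targets) >= min_targets and len(sensors) >= min_sensors:
                flagged[src] = {
                    "first": first["time"].isoformat(),
                    "last": group[-1]["time"].isoformat(),
                    "targets": sorted(targets),
                    "sensors": sorted(sensors),
                    "signatures": sorted({a["sig"] for a in group}),
                }
                break  # one finding per source is enough for the report
    return flagged


if __name__ == "__main__":
    for src, summary in correlate(parse_alerts(ALERTS)).items():
        print(src, summary)
```

On the constructed data only ws-42 is flagged: each of its four morning alerts is an unremarkable single event on its own sensor, and the later afternoon alert falls outside the window, which is the point of correlating on the source rather than on the individual signature.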


Conclusion



The research in this paper shows that it is very difficult to detect security attacks by technical tools alone. It takes human knowledge to put together information from multiple sources and processes and draw the inference that an organization is or is not under attack. Attack opportunities are getting fewer due to the high emphasis on security, but on the other hand attack sophistication is on the rise. The security process should be included in the standard practices of organizations, and it should be worked in all the way from the inception of a product. There is a need for superior technological products which can take information from still more sources and present it to humans. Information technology applications and infrastructure have become so distributed and complex that it is not possible for technology or people alone to determine how to administer them securely. There are some initiatives in industry to combine these multiple points under the scheme of multi-method attack detection [note 9]. In the last few days more security companies are coming up with solutions based on multi-function [note 10] appliances [23]. These appliances are built for concurrent services and unified management. Such integrated products will help the overall cause of security, but for a long-term solution organizations have to work on integrating security into the application and infrastructure development process. As systems attain a new level of complexity with wireless in the mix, attack detection will become more difficult. It is important for organizations to focus on strengthening identity, using encryption, complying with standards and making security part of the process. In the absence of tight control things could get worse. It is only temporary comfort (an oxymoron) that attackers are focused on financial gain; it is a matter of time before a mafia or terrorist group demands a ransom from an airline company or a shipping company. Let us secure!


References



3. http://www.cert.org/archive/pdf/IEEE_IDS.pdf
4. Network Security Essentials Second Edition William Stallings, 2003
5. http://www.cert.org/tech_tips/intruder_detection_checklist.html
6. @ Large: The Strange Case of the World's Biggest Internet Invasion by David H. Freedman, Charles C. Mann, 1997.
7. Botnets: Big and Bigger, Bill McCarthy, IEEE Security and Privacy, September/October 2003.
8. http://www.computer.org/software/so2000/pdf/s5042.pdf, John McHugh, Alan Christie, and Julia Allen.
9. http://www.bankinfosecurity.com/?q=node/view/458, Paul Rohmeyer
10. http://www.cs.umn.edu/research/MINDS/talks/DTC_MINDS.pdf#search='AHPCRC%20SNORT', Vipin Kumar, AHPCRC
11. “Shooting the Hostage: Why Current Generation Intrusion Prevention Systems Fails Business”, http://www.net-security.org/article.php?id=739
12. Attack Modeling for Information Security and Survivability, Andrew P. Moore,Robert J. Ellison,Richard C. Linger March 2001, http://www.sei.cmu.edu/pub/documents/01.reports/pdf/01tn001.pdf
13. http://www.nsf.gov/od/lpa/news/03/pr03130.htm
14. http://www.sciencedaily.com/releases/2005/03/050329130541.htm
15. http://www.detnews.com/2005/technology/0502/22/01-97004.htm
16. http://reviews.cnet.com/4520-3513_7-5670780-1.html
17. http://www.net-security.org/article.php?id=773
18. http://www.net-security.org/article.php?id=765
19. http://www.pcworld.com/resource/article/0,aid,120448,pg,1,RSS,RSS,00.asp
20. http://www.pcworld.com/news/article/0,aid,119694,00.asp
21. http://www.securityfocus.com/infocus/1558
22. Securing your Digital Life, Entrust, www.entrust.com, April 2005.
23. Symantec Internet Security Threat Report, Trends for July 04 – December 04, Volume VII, March 2005.
24. Accurate Attack Protection, Juniper Networks, IDP feature brief.
25. http://newsroom.cisco.com/dlls/2005/prod_050305.html?CMP=ILC-001, May 3, 2005.
26. http://www.att.com/ir/pdf/industry_072204.pdf#search='ed%20amoroso%20attack'
27. Security Warrior, Cyrus Peikari & Anton Chuvakin, 2004.
28. http://www.wordspy.com/words/phishing.asp


1 Attack may be defined as any malicious activity crossing a network that has been detected by an intrusion detection system or firewall [21].
2 13.6 attacks are categorized for period between July 1, 2004 and December 31, 2004. During same period in 2003 number of attacks was 12.6.
3 Honeypot is a ‘dummy’ target machine set up to observe hackers. A honeynet is a network built around such dummy machines in order to lure and track hackers as they step through the attack process [27].
4 “Between July 1, and December 31, 2004, the Microsoft Windows DCOM RPC Interface Buffer Overflow Attack was the third most common attack. It has regained prominence as top attack after ranking tenth in first six months of the year (2004)” – Symantec Internet Security Threat Report [21]
5 Phishing is “Creating a replica of an existing Web page to fool a user into submitting personal, financial, or password data” [28].
6 Pharming is a new breed of attack. Pharming uses subtle ways to trick users into disclosing their identities and other sensitive information.
7 SC Magazine, April 2005, ‘Slam the door on the bad guys’ by John Sterlicchi.
8 Persistent Encryption protects data regardless of the session security [20]. Even if the communication is intercepted, the data is still encrypted.
9 Multi Method attacks rely on mechanisms of Stateful signatures, Protocol Anomaly, Backdoor detection, Traffic Anomaly, Network Honeypot, Layer 2 detection, DOS detection, Spoofing detection and Compound Signatures [22].
10 “An innovative family of multi-function security appliances, that help stop attacks before they spread through the network” [23].
Unless otherwise noted, all paper copyrights are owned by the author. The rest copyright 2003-2005 TechTarget